100834-if-i-get-banned-for-no-reason-again-so-help-me
----

You are right, I didn't set up the authenticator because I didn't have a smart phone at the time. Everything is all my fault.

----

Considering you don't need a phone, and you could have at least used a unique email, I wouldn't get too huffy there, champ.

----

A bit off topic but you don't need a smart phone for authenticator. Use Winauth.

----

I don't own a smart phone at all, I use Google Authenticator ... Windows app. So yep, still your fault.

----

Lots of people do not use an authenticator and do not get hacked. Do you use different passwords for every web site? How often do you change your email password? Do you ever log into a computer that you do not have complete control over (like in a public library)? Does anyone with bad security practices share a computer with you (like a roommate)?

----

Well, he said he was downloading in the hotel lobby, I'm assuming off of their wireless LAN. Hopefully, with 2FA and on his own wifi (hopefully encrypted), he shouldn't have an issue.

----

The odds of your account being hacked now that you have 2-step in place are basically nil, so you should be good to go.

----

Hey, it's not just an authenticator issue. Take it as a cheap lesson (it's just a game, after all), and take every measure to enhance your security. We know you're hyped up for playing the game, but reconsider buying a second one until settled.

----

One other thing-- be very careful who you give your guest passes to. If they don't protect the account and it's hijacked and used for exploiting, you'll get the ban.

----

I'm at work I can't yet =(. Which brings me to my next question, what is a decent pvp server for Dom?

----

Pergo 1st / Pago 2nd / Widow 3rd NA Hazak EU.

----

You seem rather certain that there isn't a massive security breach on Carbine's end. I wish I shared your confidence.

----

Yup! There's not a drop of evidence for one yet. Really.
----

Considering two-step authentication shouldn't be necessary at all, you might want to check your own level of huffiness. The general acceptance of it - and the tendency of the community to blame the customer - is laughable, albeit in a very sad way. Want this problem fixed? Stop blaming the customer and place the blame where it belongs: Carbine/NCSoft. Sure, it may take them some time to figure out a better way to do security, but they can certainly adjust the way they respond to symptoms right now. A good start would be to end the "every problem is a nail and I am a hammer" response to compromised accounts. For example, instead of banning the account, why not lock it to the usual locations? Or why not send out a one-time passcode for the user to re-enable access? How about requiring a human review of the ban before allowing it to go through? I just gave you three common solutions to a problem that is anything but new... there are hundreds more. Furthermore, there's no reason the OP should be dealing with this for 10+ days. Dial that response time down to single-digit hours, at most. Not enough CS reps? Hire more. Naturally, it's much easier to blame the customer. Though, in all fairness to Carbine/NCSoft, they're not. They're just sitting back letting the community blame itself.

----

I started with that position. But I've never seen an account compromise that was plausibly the fault of Carbine instead of the customer in this game, and in the absence of mass breaches, it's extremely rare that I've seen it in any other games or services. After a while making observations like that, one's default assumptions change. (People are terrible at internet security.) (Heck, look at the in-game security advice on login now. They ask you to either use 2-factor or use unique passwords. Have you got any idea how many customers fail to follow that advice? Lots of people do not see any problem with re-using passwords.)
----

...aside from what appears to be a massive number of compromised accounts. So your implication is that someone has compromised the hotel's network and is sniffing packets, right? Putting aside the silliness of the idea that someone would do this in order to sniff out Wildstar logins, once again, we're blaming the customer and not the service provider. There's this thing, it's called encryption, and it should be used for things like usernames and passwords. (Frankly, I'd be very surprised if login credentials were not encrypted in transit, but it is a common enough security hole).

----

Follow up on them. Not a one (that I've seen) has been from someone who has demonstrated they could follow decent security practices.

----

You make fair points. People are terrible at internet security. It's a fact. Given that, shouldn't a company interested in preventing their customers from being compromised find better ways of validating credentials? A large portion of the population simply will not get better at internet security. It's (past) time for things to adapt to this reality.

----

Hotel Wifi's are notoriously bad for being kept unsecured. Same with most publicly accessed Wifi's.

----

That's exactly what 2-factor is. If you've got 2-factor turned on, you can be a terrible noob with no security capabilities at all, and odds are that you'll be fine (unless you use WinAuth -- if you use WinAuth and have terrible security practices, then people will steal your WinAuth key). Banks haven't found better ways to protect poorly-secured accounts than 2-factor, and they have a lot more cash at stake.

----

You bet. All the more reason for a company providing a service on the internet that requires credential validation to ensure that sniffed information is useless. Or to find better ways to validate credentials. Image-based verification has been popular as of late, though most implementations are still pretty rudimentary IMO.
----

I disagree: two-factor is not a better way. It's more secure, but that's not necessarily better (it's a subjective measure, I suppose).

----

I see, you want magic. You want them to be able to sprinkle fairy dust on the internet and make it secure and safe without making it any less easy to use. Never mind, carry on! (If someone finds a way to do that, they are not going to waste their time and resources at a game development company.)

----

Okay, so they're halfway towards my original suggestion, in that they're supposedly developing a better system. Now they need to work on the other half. There's no reasonable excuse that the OP has been hung out to dry for a week and a half. There are many solutions to this problem that can be implemented already, I've suggested several in this thread... and only one of them involved properly staffing their CS department.

----

Well, of course I want magic! But what I'm suggesting isn't magic. There are lots of ways to improve security without requiring magic. Here's a stupidly simple one: the general belief seems to be that people are compromised by keyloggers (yet, mysteriously, have no problems with any of their other accounts like email, etc). Have password entry be done with a mouse. Want to talk about improved tech? How about signature-based validation? Do away with keystrokes altogether and have login be based on a stroke-based signature. Or use a system similar to RSA SecurID (without the physical component).

----

You're silly. What would the point of playing through a VPN tunnel be? To secure your vendor trash from compromise? :) I've mentioned around half a dozen other potential solutions in this thread. I'm actually pretty fond of the last one (something akin to SecurID, a system that has been around for almost two decades).

----

The general belief seems to be that people are compromised by keyloggers, but the general belief is wrong, and Carbine knows that.
The way people are most often compromised is by using a password for this game that they've used elsewhere, and that was compromised elsewhere. Their security theater for the people who believe active keyloggers are the source is that the 2-factor credentials are entered with the mouse. Signature-based validation requires hardware that frankly almost nobody has. As for RSA SecurID without the physical component... that's precisely what Google Authenticator is. It's the same kind of algorithm used with RSA SecurID, implemented with smartphone software instead of a dongle. They've got something that's in essence RSA SecurID without the physical component, but with the code entered by mouse (two things you asked for). And you've rejected it, which is fine (if you understand things and are following secure practices otherwise), and then complained that they're not doing these things (which isn't fine, because they are).

----

A lot of people don't use seatbelts and never crash. Do you want to risk it too? Just because "lots of people" don't get hacked, it doesn't mean the authenticator is for show only.

----

I travel a lot and I don't want less security with the same options. It's not hard to spend 4-5 seconds typing a code. If someone wanted on your account with your way, they could (changing their IP to mirror near you).

----

Phones? We don't need no steenking phones! I went with WinAuth for the PC because Sprint (my provider) and the Galaxy Note II (my Android) can occasionally mishandle downloaded apps. And with WinAuth you have the option of adding a 3rd level of verification by adding password access to the authenticator login. So the log in process becomes: Log into the game. Log into the authenticator. Enter the authenticator-generated 6-digit code into the game's 2-Step Verification number pad. Awesomesauce

Install WinAuth on one of these: https://www.google.com/#q=USB+flash+drives.
Works like a key fob authenticator, just requires the additional step of physically plugging it into a USB port every time you use it. Thus with the WinAuth login password also enabled, flash drive authentication buffs the original 2-Step Verification into 4-Step Verification. Perps need to be physically at the target's computer and manually inserting the flash drive into one of its USB ports to break in. This is even safer than phones because phones can get hacked too. Plus, having passwords in a file on the thumb drive means you don't have to memorize them. So they can be as complicated as you want. Simply copy and paste - which pisses off keyloggers because there are no keystrokes for them to log other than and . For even more safety, remove the thumb drive from the PC once you've reached your character select screen.

Also: In Turn Windows features on or off: uncheck both "TELNET Client" and "TELNET Server". In System Protection > System Properties > Remote > Remote Assistance: uncheck "Allow Remote Assistance Connections to this computer". In System Protection > System Properties > Remote > Remote Desktop: select "Don't allow connections to this computer". There is no such thing as unhackable. But this is probably as close as we end users can make it.

PRO TIP: WHEN SETTING UP 2-STEP VERIFICATION, SAFELY STORE THE SECRET CODE YOU COPY INTO YOUR AUTHENTICATOR APP BEFORE CLICKING CONTINUE! If something happens to your authenticator (i.e. it no longer generates the 6-digit code) and you are forced to deactivate 2-Step Verification to reset the process, you will need that code. If you do not have that code, it may take weeks to get a new one. I just completed this CS exercise ... you REALLY need to save your code. :wacko:

----
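
Added example, not part of any post in the thread: a sketch of the time-based one-time password scheme (RFC 6238) that Google Authenticator implements, showing why the saved setup secret is enough to rebuild the authenticator on a new device and, equally, why anyone who copies that secret can produce valid codes. The `Verifier` class, its one-step drift window and the sample secret are assumptions for illustration, not Carbine's or NCSoft's implementation.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator implements."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check: tolerate one step of clock drift, refuse reuse."""

    def __init__(self, secret_b32: str, step: int = 30):
        self.secret, self.step, self.last_counter = secret_b32, step, -1

    def check(self, code: str, now: int) -> bool:
        for drift in (-1, 0, 1):
            counter = now // self.step + drift
            if counter <= self.last_counter:
                continue  # this time step (or a later one) was already used
            if hmac.compare_digest(totp(self.secret, counter * self.step, self.step), code):
                self.last_counter = counter
                return True
        return False


# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# a 2-step setup screen would display it.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def restore_demo(now: int = 59) -> tuple:
    original_device = totp(SECRET, now)
    replacement_device = totp(SECRET, now)  # re-enrolled from the saved secret
    server = Verifier(SECRET)
    first = server.check(replacement_device, now)
    replay = server.check(replacement_device, now)  # same code offered again
    return original_device, replacement_device, first, replay


if __name__ == "__main__":
    print(restore_demo())
```

The code depends only on the shared secret and the clock, so the secret deserves the same protection as the password itself, wherever the authenticator app stores it.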